krb5: Update to 1.21.1 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
commit	0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree	e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/conf_files/kadm5_acl.html
parent	b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

vendor/krb5/1.21.1

Diffstat (limited to 'doc/html/admin/conf_files/kadm5_acl.html')

-rw-r--r--

doc/html/admin/conf_files/kadm5_acl.html

1 files changed, 50 insertions, 49 deletions

diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 05eab8bbae62..2436e7e23c49 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html

@@ -1,33 +1,31 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>kadm5.acl — MIT Kerberos Documentation</title>

+ <title>kadm5.acl — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../../genindex.html" />

+ <link rel="search" title="Search" href="../../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />

- <link rel="up" title="Configuration Files" href="index.html" />

</head>

@@ -61,25 +59,25 @@

- <div class="body">

+ <div class="body" role="main">

<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

-The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon uses an Access Control List

+The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon uses an Access Control List

(ACL) file to manage access rights to the Kerberos database.

For operations that affect principals, the ACL file also controls

which principals can operate on which other principals.

The default location of the Kerberos ACL file is

-<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><tt class="docutils literal">/krb5kdc</tt><tt class="docutils literal">/kadm5.acl</tt> unless this is overridden by the acl_file

-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

+<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kadm5.acl</code> unless this is overridden by the acl_file

+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

</div>

<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>

-Empty lines and lines starting with the sharp sign (<tt class="docutils literal">#</tt>) are

+Empty lines and lines starting with the sharp sign (<code class="docutils literal">#</code>) are

ignored. Lines containing ACL entries have the format:

-<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

+<div class="highlight-default"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

</pre></div>

</div>

@@ -91,7 +89,7 @@ will control access for an actor principal on a target principal.

<dt>principal</dt>

<dd>(Partially or fully qualified Kerberos principal name.) Specifies

the principal whose permissions are to be set.

-Each component of the name may be wildcarded using the <tt class="docutils literal">*</tt>

+Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

character.

</dd>

<dt>permissions</dt>

@@ -129,13 +127,13 @@ is permitted.

<td>[Dis]allows the modification of principals or policies</td>

</tr>

-<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

</tr>

<td>[Dis]allows the explicit setting of the key for a principal</td>

</tr>

-<td>Short for admcilsp. All privileges (except <tt class="docutils literal">e</tt>)</td>

+<td>Short for admcilsp. All privileges (except <code class="docutils literal">e</code>)</td>

</tr>

@@ -146,7 +144,7 @@ is permitted.

</dl>

Note

-The <tt class="docutils literal">extract</tt> privilege is not included in the wildcard

+The <code class="docutils literal">extract</code> privilege is not included in the wildcard

privilege; it must be explicitly assigned. This privilege

allows the user to extract keys from the database, and must be

handled with great care to avoid disclosure of important keys

@@ -159,10 +157,10 @@ granted privilege.

<dt>target_principal</dt>

<dd>(Optional. Partially or fully qualified Kerberos principal name.)

Specifies the principal on which permissions may be applied.

-Each component of the name may be wildcarded using the <tt class="docutils literal">*</tt>

+Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

character.

target_principal can also include back-references to principal,

-in which <tt class="docutils literal">*number</tt> matches the corresponding wildcard in

+in which <code class="docutils literal">*number</code> matches the corresponding wildcard in

principal.

</dd>

<dt>restrictions</dt>

@@ -172,13 +170,13 @@ in which <tt class="docutils literal">*number</tt> matc

<dt>{+|-}flagname</dt>

<dd>flag is forced to the indicated value. The permissible flags

are the same as those for the default_principal_flags

-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.</dd>

+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.</dd>

<dt>-clearpolicy</dt>

<dd>policy is forced to be empty.</dd>

<dt>-policy pol</dt>

<dd>policy is forced to be pol.</dd>

<dt>-{expire, pwexpire, maxlife, maxrenewlife} time</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

MIN(time, requested value).</dd>

</dl>

</div></blockquote>

@@ -195,52 +193,52 @@ restarted for changes to take effect.

<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>

Here is an example of a kadm5.acl file:

-<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

-joeadmin@ATHENA.MIT.EDU ADMCIL # line 2

-joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3

-*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4

-*/root@ATHENA.MIT.EDU l * # line 5

-sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6

+<div class="highlight-default"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

+joeadmin@ATHENA.MIT.EDU ADMCIL # line 2

+joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3

+*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4

+sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6

</pre></div>

</div>

-(line 1) Any principal in the <tt class="docutils literal">ATHENA.MIT.EDU</tt> realm with an

-<tt class="docutils literal">admin</tt> instance has all administrative privileges except extracting

+(line 1) Any principal in the <code class="docutils literal">ATHENA.MIT.EDU</code> realm with an

+<code class="docutils literal">admin</code> instance has all administrative privileges except extracting

keys.

-(lines 1-3) The user <tt class="docutils literal">joeadmin</tt> has all permissions except

-extracting keys with his <tt class="docutils literal">admin</tt> instance,

-<tt class="docutils literal">joeadmin/admin@ATHENA.MIT.EDU</tt> (matches line 1). He has no

-permissions at all with his null instance, <tt class="docutils literal">joeadmin@ATHENA.MIT.EDU</tt>

-(matches line 2). His <tt class="docutils literal">root</tt> and other non-<tt class="docutils literal">admin</tt>, non-null

-instances (e.g., <tt class="docutils literal">extra</tt> or <tt class="docutils literal">dbadmin</tt>) have inquire permissions

-with any principal that has the instance <tt class="docutils literal">root</tt> (matches line 3).

-(line 4) Any <tt class="docutils literal">root</tt> principal in <tt class="docutils literal">ATHENA.MIT.EDU</tt> can inquire

+(lines 1-3) The user <code class="docutils literal">joeadmin</code> has all permissions except

+extracting keys with his <code class="docutils literal">admin</code> instance,

+<code class="docutils literal">joeadmin/admin@ATHENA.MIT.EDU</code> (matches line 1). He has no

+permissions at all with his null instance, <code class="docutils literal">joeadmin@ATHENA.MIT.EDU</code>

+(matches line 2). His <code class="docutils literal">root</code> and other non-<code class="docutils literal">admin</code>, non-null

+instances (e.g., <code class="docutils literal">extra</code> or <code class="docutils literal">dbadmin</code>) have inquire permissions

+with any principal that has the instance <code class="docutils literal">root</code> (matches line 3).

+(line 4) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can inquire

or change the password of their null instance, but not any other

-null instance. (Here, <tt class="docutils literal">*1</tt> denotes a back-reference to the

+null instance. (Here, <code class="docutils literal">*1</code> denotes a back-reference to the

component matching the first wildcard in the actor principal.)

-(line 5) Any <tt class="docutils literal">root</tt> principal in <tt class="docutils literal">ATHENA.MIT.EDU</tt> can generate

+(line 5) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can generate

the list of principals in the database, and the list of policies

in the database. This line is separate from line 4, because list

permission can only be granted globally, not to specific target

principals.

(line 6) Finally, the Service Management System principal

-<tt class="docutils literal">sms@ATHENA.MIT.EDU</tt> has all permissions except extracting keys, but

+<code class="docutils literal">sms@ATHENA.MIT.EDU</code> has all permissions except extracting keys, but

any principal that it creates or modifies will not be able to get

postdateable tickets or tickets with a life of longer than 9 hours.

</div>

<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>

The ACL file can coexist with other authorization modules in release

-1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth">kadm5_auth interface</a> section of

-<a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a>. The ACL file will positively authorize

+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth">kadm5_auth interface</a> section of

+<a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a>. The ACL file will positively authorize

operations according to the rules above, but will never

authoritatively deny an operation, so other modules can authorize

operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the acl_file variable in

-<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <tt class="docutils literal">acl_file = ""</tt>.

+<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <code class="docutils literal">acl_file = ""</code>.

</div>

-<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

+<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

</div>

@@ -271,11 +269,12 @@ operations in addition to those authorized by the ACL file.

<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">

-<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li>

+<li class="toctree-l3 current"><a class="current reference internal" href="#">kadm5.acl</a></li>

</ul>

</li>

<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>

<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>

+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>

<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>

<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>

<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>

@@ -283,6 +282,8 @@ operations in addition to those authorized by the ACL file.

<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>

<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>

<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>

+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>

+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>

<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>

<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>

<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>

@@ -322,8 +323,8 @@ operations in addition to those authorized by the ACL file.

- <div class="right" >Release: 1.16

+ <div class="right" >Release: 1.21.1

</div>